[57] ABSTRACT

A workflow sequence specified by a process definition is 
managed by a workflow management system which enacts 
each segment in the order specified by that process defini- 
tion. Role-based access control (RBAC) is used to define 
membership of individuals in groups, i.e., to assign indi- 
viduals to roles, and to then activate the roles with respect 
to the process at appropriate points in the sequence. Any 
individual belonging to the active role can perform the next 
step in the business process. Changes in the duties and 
responsibilities of individuals as they change job assign- 
ments are greatly simplified, as their role memberships are 
simply reassigned; the workflow process is unaffected. 

4 Claims, 1 Drawing Sheet 
WORKFLOW MANAGEMENT EMPLOYING ROLE-BASED ACCESS CONTROL

CROSS-REFERENCE TO RELATED APPLICATION

This application claims priority from Provisional Patent Application Ser. No. 60/032,531, filed Dec. 6, 1996.

FIELD OF THE INVENTION

This invention relates to improvements in workflow management, that is, to improved automation of business processes carried out substantially or entirely on computer systems, by incorporation of role-based access control techniques.

BACKGROUND OF THE INVENTION

1. Workflow Technology

Many business and governmental organizations are increasingly employing "workflow technology", that is, means for automation of "business processes", to improve the efficiency of their operations. A "business process" involves the transfer of one or more documents, information, or tasks between participants according to a set of procedural rules in order to achieve business goals. In general, "workflow technology" relates to the computerization of business processes previously carried out on paper, typically involving the physical handing-off of paper files from one individual or workgroup to another as the steps in the business process are sequentially completed. More specifically, workflow technology consists of a set of tools to define and manage business processes; its goal is the complete or partial automation of a business process, without loss of controls required throughout the process. This requires, for example, that various individuals be provided access to a particular computer file at corresponding times, and not at others.

For example, suppose that according to preexisting practices within a business, an equipment purchase requires that a purchase requisition is to be originated by an engineering group, approved by an engineering manager, approved by an accounting group, and approved by a particular vice-president, before being forwarded to the purchasing department for ordering. Further, suppose the practice allows the approvals by the engineering manager and accounting group to be obtained in either order, as long as both are obtained before the proposal goes to the vice president. It will be apparent that a considerable amount of time and resources must be devoted to getting the correct signatures on the proper paper forms in the proper order, particularly if the various individuals involved are at different locations, or there is particular urgency.

Such a well-defined business process is a good candidate for automation according to present-day workflow technology. Essentially the process is originated by the original requisitioner creating a computer file, and passing it to a workflow software program. The program "knows" the proper sequence of approvals and other steps involved, and can prompt the various individuals and departments when it is their turn to handle the request. However, in order to ensure the integrity of the process, it is important that the software ensure that access to the appropriate computer file is passed in sequence from the engineering group simultaneously to the engineering manager and accounting group, and thence to the vice president, followed by the purchasing department, and that, after each has completed their task, their access is terminated. Further, the software must provide for the possibility that during each of these steps one or more persons may have access; for example, perhaps only one vice president can approve the request, but anyone above a certain level in the purchasing department can give the final approval. Workflow technology available as commercial software provides ready automation of processes of this kind.

More rigorously stated, "workflows" consist of a set of "activities" carried out in a predefined order. As such, access control becomes an integral part in the enactment of a workflow. Each activity requires privileged "operations", the access to which is restricted to authorized user(s) who participate in that activity. Moreover, the privileged operations permitted to a user may change as a workflow is processed. For example, an activity involving the purchase of a piece of equipment is only permitted to a user until the purchase has been completed, whereupon the permission for that user to purchase the equipment is removed.

In presently available workflow processing software, and in proposals for further enhancements, access control has been provided to individuals by listing the individuals permitted to perform each of the operations defined for a particular workflow. These "connections" between the individuals and the permissions to perform the activities require careful and time-consuming maintenance. Particularly where the entire set of activities may be performed over a long period of time, such that individuals are likely to change their job responsibilities during the completion of the process, this practice can be troublesome. Extensive system overhead, in the form of time and trouble to system administrators and persons of similar responsibility, is required to ensure that the connections between the individuals and the activities they are permitted are constantly updated.

U.S. Pat. No. 5,634,127 to Cloud et al discusses use of workflow management as a means of conveniently interfacing two otherwise incompatible systems, as occurs, for example, when two banks having differing computer systems for accomplishing essentially similar tasks merge. By mapping the various system functions from the two systems to identical workflow entities, the task of marrying the two systems is greatly simplified. Hsu et al U.S. Pat. No. 5,581,691 relates to a generic workflow management system. Smith et al U.S. Pat. No. 5,181,162 refers to a document management and production system, e.g., for assembling the pages and sections of newspapers and the like. Workflow processing is referred to at column 5 as a means whereby the access of various workgroups to the document can be appropriately controlled.

2. Role-Based Access Control

Role-based access control ("RBAC") is a methodology for controlling access to computer systems. The use of RBAC is increasing in organizations, primarily because RBAC reduces administrative cost and complexity as compared to other access control mechanisms. With RBAC, access is based on a user's role within an organization. Consequently, access control administration is at a level of abstraction that is natural to the way that organizations typically conduct business.

Briefly stated, in RBAC systems, access to an object within a computer system is provided to "subjects" that are the members of groups termed "roles"; all subjects belonging to a given role have the same privileges to access various objects within the system. Individual "users" are then granted access to objects by being assigned membership in appropriate roles.
RBAC is considered useful in many commercial environ- 
ments because it allows access to the computer system to be 
conveniently organized along lines corresponding to the 
actual duties and responsibilities of individuals within orga- 
nizations. For example, RBAC allows the access provided 
by roles to conform to a preexisting hierarchy; in a hospital 
environment, members of the "doctor" role will have 
broader access to protected objects than would members of 
"nurse", who will in turn be given broader access than 
"health-care provider". Various types of privilege can be 
conveniently organized as a function of role assignments. 
For example, "doctor" membership may allow the user the 
privilege to read from or write to a pharmacy record, while 
"pharmacist" may only allow reading therefrom. Cardinality 
may be enforced; that is, only one general manager may 
exist at a given time. Roles may be exclusive; that is, an 
individual who is a member of "trader" in a commercial 
bank could not also be a member of "auditor" at the same 
time. 
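The constraints named in the paragraph above (a role hierarchy through which access widens, cardinality limits on a role, and mutually exclusive roles) can be checked mechanically. The following Python snippet is an added illustration and not part of the patent; the hospital and bank role model, the permission names and the functions effective_perms() and violations() are constructed for the example.

```python
# Added example, not from the patent: RBAC hierarchy, cardinality and
# exclusive-role constraints over a constructed hospital/bank role model.

HIERARCHY = {          # role -> roles it is senior to (it inherits their permissions)
    "doctor": {"nurse"},
    "nurse": {"health-care provider"},
    "health-care provider": set(),
    "pharmacist": set(),
    "general manager": set(),
    "trader": set(),
    "auditor": set(),
}
DIRECT_PERMS = {       # permissions granted to a role directly (constructed names)
    "health-care provider": {"read:patient-chart"},
    "nurse": {"write:vitals"},
    "doctor": {"read:pharmacy-record", "write:pharmacy-record"},
    "pharmacist": {"read:pharmacy-record"},
}
CARDINALITY = {"general manager": 1}   # at most one general manager at a time
EXCLUSIVE = [("trader", "auditor")]    # no user may hold both at the same time


def effective_perms(role):
    """Permissions of `role` plus everything inherited from junior roles."""
    seen, stack, perms = set(), [role], set()
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        perms |= DIRECT_PERMS.get(r, set())
        stack.extend(HIERARCHY.get(r, ()))
    return perms


def violations(assignments):
    """List constraint violations in a user -> set-of-roles mapping."""
    out, holders = [], {}
    for user, roles in assignments.items():
        for r in roles:
            holders.setdefault(r, set()).add(user)
        for a, b in EXCLUSIVE:            # exclusive roles held by one user
            if a in roles and b in roles:
                out.append(f"{user} holds exclusive roles {a} and {b}")
    for role, limit in CARDINALITY.items():   # too many members of a limited role
        if len(holders.get(role, ())) > limit:
            out.append(f"{role} has {len(holders[role])} members, limit {limit}")
    return out
```

effective_perms("doctor") yields the pharmacy-record read and write permissions together with everything a nurse and a health-care provider can do, while effective_perms("pharmacist") yields only the read permission; violations() flags a user assigned to both "trader" and "auditor" and any second "general manager".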

A particular advantage of RBAC is that it allows the 
access privileges provided to individuals to be very conve- 
niently reconfigured as the individuals change job 
requirements, simply by deleting one's original assignment 
to a first role and adding one to the new role. 

RBAC is described in "Role- Based Access Controls", 
Ferraiolo et al, Proceedings of the 15th NIST-NSA National 
Computer Security Conference, 1992, and operational 
RBAC software is available from several vendors. A rigor- 
ous mathematical basis for RBAC is provided by Ferraiolo 
et al, "Role based access control: Features and motivations", 
Annual Computer Security Applications Conference, IEEE 
Computer Society Press, 1995. This paper, which is not prior 
art to the present invention, is incorporated herein by ref- 
erence. See also Sandhu et al, "Proceedings of the First 
ACM Workshop on Role Based Access Control", ACM, 
1996, also not prior art to the present invention. 

Insofar as known to the present inventor, the applicable 
prior art does not suggest that RBAC might be employed in 
connection with workflow technology. 

OBJECTS OF THE INVENTION 

It is therefore an object of the invention to provide more 
convenient, less costly use of workflow technology by 
employment of RBAC as the access control method thereof. 

It is a further object of the invention to provide methods whereby RBAC may be employed to provide the access controls that are an important aspect of workflow technology.

It is a further object of the invention to provide improved security in implementation of workflow technology by reducing the occurrences of unauthorized access to information, by employment of RBAC as the means to access a workflow system.

SUMMARY OF THE INVENTION

In a system that supports RBAC, the role is the means by which access to a resource is determined. In RBAC, access to a resource by a user is permitted only if:

(1) the permission required for access to the resource is 
assigned to a role; and 

(2) that role is assigned to the user requesting access to the 
resource; and 

(3) that role is activated in the user's session. 

In addition to a role's use for access control, a role may 
be used to refer to the set of operations to which the 
permission(s) associated with that role grants access. Some 
implementations of RBAC make use of this concept by 
presenting the role as a menu choice to the user. 
According to the present invention, roles are used in still another way. Because a role is the means by which access to a resource can be enforced, assignment of a permission to perform an operation and the removal of such an assignment can be used as a means to sequence a set of operations. The sequencing of operations is the fundamental behavior required to support workflow. Thus, an RBAC mechanism can be used as a means of implementing workflow.

According to the basic premise of workflow technology, a business process can be partitioned into sequential routing segments and parallel routing segments. A sequential routing segment has one or more activities which must proceed in a strictly sequential manner. A parallel routing segment has two or more activities which can proceed in parallel. The workflow specified by a process definition is managed by a workflow management system which enacts each segment in the order specified by that process definition. According to the invention, RBAC is used to define membership of individuals in groups, i.e., to assign individuals to roles, to assign permissions to roles, and to then activate the roles with respect to the process at appropriate points in the sequence. An RBAC system thus forms the basis for the enactment of workflow, i.e., an RBAC system is used as the basis for a workflow management system. Any individual belonging to the active role can perform the next step in the business process. Changes in the duties and responsibilities of individuals as they change job assignments are greatly simplified, as their role memberships are simply reassigned; the workflow process is unaffected.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will be better understood if reference is made to the accompanying drawings, in which:

FIG. 1 illustrates an example of the partitioning of a business process into segments and activities, as required by the implementation of workflow technology; and

FIG. 2 illustrates the relation between users, subjects, roles, and operations in an RBAC system.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

The following definitions of terms used herein are provided for the convenience of the reader, and are not to be construed to limit the invention.

Access Control — The process of limiting access to the resources of a system only to authorized programs, processes, or other systems of a network.

Activity — A description of a piece of work that forms one logical step within a process. An activity is typically the smallest unit of work which is scheduled by a workflow engine during process enactment (e.g. using transition and pre/post-conditions), although one activity may result in several work items being assigned (to a workflow participant).

AND-Split — A point within the workflow where a single thread of control splits into two or more parallel activities.

AND-Join — A point in the workflow where two or more parallel executing activities converge into a single common thread of control.

Business Process — A set of one or more linked procedures or activities which collectively realize a business objective or policy goal, normally within the context of an organizational structure defining functional roles and relationships.

Invoked Application — A workflow application invoked by the workflow management system to automate an
activity, fully or in part, or to support a workflow participant in processing a work item.

Object — A passive entity that contains or receives information.

Parallel Routing — A segment of a process instance under enactment by a workflow management system, where two or more activity instances are executing in parallel within the workflow, giving rise to multiple threads of control.

Permissions — A description of the type of authorized interactions a subject can have with an object.

Process Definition — The representation of a business process in a form which supports automated manipulation, such as modeling, or enactment by a workflow management system. The process definition consists of a network of activities and their relationships, criteria to indicate the start and termination of the process, and information about the individual activities, such as participants, associated information technology applications and data, etc.

Resource — Anything used or consumed while performing a function. The categories of resources are time, information, objects, or processors.

Role — A job function within an organization that describes the authority and responsibility conferred on a user assigned to the role, or (as will be clear from the context) an abstraction created to identify the function of an activity within a business process. Stated differently, the role is the means by which access to a resource is determined; a role may also be used to refer to the set of operations to which the permission(s) associated with that role grants access.

Sequential Routing — A segment of a process instance under enactment by a workflow management system, in which several activities are executed in sequence under a single thread of execution. (No -split or -join conditions occur during sequential routing.)

Session — A mapping between a user and an activated subset of the set of roles to which the user is assigned.

Subject — An active entity, generally in the form of a person, process, or device, that causes information to flow among objects or changes the system state.

User — Any person who interacts directly with a computer system, or a computer process which may or may not represent a person.

Workflow — The automation of a business process, in whole or part, during which documents, information or tasks are passed from one participant to another for action, according to a set of procedural rules.

Workflow Management System — A system that defines, creates and manages the execution of workflows through the use of software, running on one or more workflow engines, which is able to interpret the process definition, interact with workflow participants and, where required, invoke the use of information technology tools and applications.

As set forth above, according to the basic premise of workflow technology, a business process to be automated is partitioned into a sequence of sequential routing segments and parallel routing segments. A sequential routing segment has one or more activities which must proceed in a strictly sequential manner. A parallel routing segment has two or more activities which can proceed in parallel. The workflow specified by a process definition is managed by a workflow management system which enacts each segment in the order specified by that process definition. According to the invention, RBAC is used to define membership of individuals in groups, i.e., to assign individuals to roles, assign permissions to roles, and then activate the roles with respect to the process at appropriate points in the sequence. An RBAC system thus forms the basis for the enactment of workflow, i.e., an RBAC system is used as the basis for a workflow management system.

The first step in the process for using RBAC to enact workflow is to partition the workflow representing a business process into a sequence of sequential and parallel routing segments, such that a conventional workflow management system can ensure that the segments are processed in the order specified in the process definition for the workflow. For example, see FIG. 1. The overall business process is partitioned into segments S1, S2, S3, wherein S1 consists of a single activity A11. After S1 is completed, the process is passed to an AND-Split processing junction 10, as the following segment S2 includes parallel activities A21 and A22, which may be processed in either order, or simultaneously. When both activities A21 and A22, and thus S2, have been completed, process control passes to an AND-Join junction 12, whereupon control passes to a third segment S3, comprising sequential activities A31 and A32, performed in that order. The process is then complete.

In an RBAC system, access to objects is managed at a level corresponding closely to the organization's structure. Each user is assigned one or more "roles", and each "role" is assigned one or more "permissions" that are authorized for users in that role. According to the present invention, permissions consist principally of the opportunity to perform operations within an activity of the workflow. FIG. 2 shows schematically the conventional RBAC organization. Subjects 20, which can represent external programs 22, external systems 24, or individual users 26, who will normally be identified to the system through a conventional identification process 28, are assigned to roles 30. The subjects 20 can then perform operations 32 as assigned to the roles 30. In this connection, "operations" includes "permissions" required to access objects within the protected system, such as stored documents [illegible in source] as part of the workflow. The operations provided for each role correspond to the duties and responsibilities of the persons having that role in the organization.

Therefore, according to the invention, having separated a workflow into sequential and parallel routing segments, given an activity in a sequential routing segment, an RBAC role unique to that activity is created; permissions to perform that activity are assigned to the role; and the role is assigned to the user responsible for performing that activity. The activation of that role grants the user the permissions necessary to perform that activity. Once an activity has been performed by the user, the permissions are withdrawn from the role, the user assignment for that role is withdrawn, and the role is removed from the RBAC system. Where more than one activity appears within a single sequential segment, as in segment S3 of FIG. 1, the permissions corresponding to the activities are granted and withdrawn, by means of role assignment, in sequence as the activities are completed; in effect, the role unique to the segment is passed between the activities as a token, ensuring that the activities are processed sequentially, in the order specified by the process definition. When all activities in the sequential routing segment have been completed in the order specified, the next segment in the workflow is processed.

Given a parallel routing segment, such as segment S2 of FIG. 1, a role unique to each activity in the segment is created for all activities in that segment. Permission to perform each activity is assigned to the unique role for that activity and the role unique to that activity is assigned to the user who performs the activity; that is, any individual belonging to the active role can perform the next step in the business process. Once these assignments have been made to all activities in the parallel routing segment, all of these activities are enabled for activation, such that they may all be executed in parallel. All activities are activated in a manner such that each activity's unique role is activated for a session of the user responsible for that activity. When all activities in the parallel segment have been completed, the next segment in the workflow is processed.

FIG. 1, discussed briefly above, gives an example of a workflow for automating a simple business process. As used for the generation and approval of a purchase request, the steps are as follows:

Sequential Routing Segment S1:

Activity A11 — A member of a project team, the requisitioner, initiates a purchase request (PR) by creating an electronic PR form and digitally signing the form. According to the business process, the form must now go to the other two members of the project team for their digital signatures indicating their approval.

Parallel Routing Segment S2:

Activity A21 — Second member of the project team digitally signs.

Activity A22 — Third member of the project team digitally signs.

Sequential Routing Segment S3:

Activity A31 — The project manager digitally signs indicating approval.

Activity A32 — The division manager digitally signs indicating approval.

Once all of the signatures have been obtained, the PR form goes to the purchasing department.

This workflow example has a parallel routing segment and involves human interaction. Consequently, there can be more than one possible sequence of events that takes place as this workflow is processed. In particular, various individuals may have corporate authority to provide the various approvals needed at each segment. It is complex to provide sufficient "connections" between all authorized individuals and the segments of the workflow, particularly where many persons may have authority to perform certain activities. According to the invention, the rights to perform the various activities are assigned to RBAC roles, and the individuals are assigned membership in the roles. The number of connections needed to be maintained between the users and roles and between roles and activities in a system according to the invention is much less than the number of connections between users and activities in a non-RBAC workflow system; this disparity grows as the membership in the roles increases.

The following presents one possible sequence of events in performance of the process of enacting workflow using RBAC according to the invention. The example refers to a software program P4EW ("Process for Enacting Workflow") implementing the invention; in effect, P4EW provides an interface between conventional RBAC and workflow processing software.

1. First member of the project team selects a menu item to purchase a widget. This action initiates P4EW/R(WPR) to enact the workflow WPR for generation and approval of a purchase request for a widget. (In this description, the notation "WPR" identifies the workflow wf for this specific purchase request; "WPR" becomes the argument to P4EW/R(wf).) Specifically, a subroutine of P4EW/R(WPR), OP(A11), then creates role ROLE(A11), assigns permission to perform the corresponding activity (A11) to ROLE(A11), assigns ROLE(A11) to one or more members of the project team, activates ROLE(A11) in the first session, and sleeps.

2. By accessing OP(A11), possibly in response to a prompt communicated automatically upon activation of ROLE(A11), a member of the project team belonging to ROLE(A11) electronically fills in the purchase request form and signs it under the direction of the invoked application IA11 initiated by OP(A11). The successful completion of IA11 results in sending a successful completion message to P4EW/R(WPR).

3. P4EW/R(WPR) is then awakened. As a result of receiving the successful completion message from OP(A11), P4EW/R(WPR) removes ROLE(A11) and the associated assignments. It now creates role ROLE(A21), makes the assignments to ROLE(A21) necessary for the second member of the project team to perform OP(A21), and activates ROLE(A21). Since segment S2 comprises the parallel activities A21 and A22, P4EW/R(WPR) also creates ROLE(A22), makes the assignments necessary for the project team to perform OP(A22), and activates ROLE(A22). P4EW/R(WPR) sleeps.

4. A member of ROLE(A22) performs OP(A22); in the example, reviews the purchase request for the widget, and signs. This action causes OP(A22) to send a successful completion message to P4EW/R(WPR).

5. P4EW/R(WPR) is awakened by the receipt of the message indicating the successful completion of OP(A22), removes ROLE(A22) and its associated assignments from the RBAC system, and records the completion of OP(A22). P4EW/R(WPR) sleeps.

6. A member of ROLE(A21) performs OP(A21); in the example, reviews the purchase request for the widget, and signs. This action causes OP(A21) to send a successful completion message to P4EW/R(WPR).

7. P4EW/R(WPR) is awakened by the receipt of the message indicating the successful completion of OP(A21), removes ROLE(A21) and its associated assignments from the RBAC system, and records the completion of OP(A21).

8. Since both activities of segment S2 have now been successfully completed, P4EW/R(WPR) creates ROLE(A31), assigns permission to perform OP(A31) to ROLE(A31), assigns ROLE(A31), in the example, to the manager of the project team, activates ROLE(A31) and sleeps.

9. The manager of the project team performs OP(A31), that is, reviews the purchase request for the widget and signs. This action causes OP(A31) to send a successful completion message to P4EW/R(WPR).

10. P4EW/R(WPR) is awakened by the receipt of the message indicating the successful completion of OP(A31) and deactivates ROLE(A31). P4EW/R(WPR) then assigns permission to perform OP(A32) to ROLE(A32), assigns ROLE(A32), e.g., to the division manager, activates ROLE(A32), and sleeps.

11. The division manager then performs OP(A32) by reviewing and signing the purchase request for the widget. OP(A32) then sends a successful completion message to P4EW/R(WPR).

12. P4EW/R(WPR) is awakened. As a result of receiving the successful completion message from OP(A32) it removes role ROLE(A32) and its associated assignments from the RBAC system.

The successful completion of workflow WPR causes P4EW/R(WPR) to terminate and be removed.

The method for employment of RBAC for controlling the permission of individuals to carry out operations within a workflow process according to the invention thus requires (1) that the workflow be decomposed into sequential and parallel segments; (2) that roles be created corresponding to each activity within each segment; (3) that, for each activity within each segment, permission to perform the operations thereof be assigned to the corresponding roles; (4) that individuals be assigned to each role; (5) that the roles be activated; (6) that each permission be withdrawn as the operations are completed; and (7) that the roles be deactivated as the segments are completed. If the segment under consideration is parallel, step (7) is simply delayed until all of the activities of all parallel processing paths are completed.

It will be apparent to those of skill in the art that in this 
way the advantages inherent in the RBAC system, in 
particular, the simplification of assignment of individuals to 
privileges by simply mirroring the organizational structure, 
and RBAC's ease of making changes in personnel 
privileges, can be used to simplify the administration of a 
workflow system. That is, by assigning the privilege to 
perform activities in the workflow system to roles rather 
than individuals, any individual assigned to an active role 
can perform the activity. Changes in the duties and respon- 
sibilities of individuals simply require their reassignment to 
new roles; the workflow process is not affected. 

The following provides a detailed statement of the steps in setting up workflow processing of a sequential routing segment S_j using RBAC to control access to the activities, according to the invention.

Create ROLE_Sj in the RBAC System
For each activity A_jk, k=1, ..., N_j, in S_j:
    Assign permission to perform operation OP_Ajk(wf) to ROLE_Sj
    Assign ROLE_Sj to USER_Ajk
    Enable the capability for OP_Ajk(wf) to be activated
    Sleep, resuming at next line when completion message received from OP_Ajk(wf)
    Remove assignment of ROLE_Sj from USER_Ajk
    Remove permission to perform operation OP_Ajk(wf) from ROLE_Sj
    Disable the capability for OP_Ajk(wf) to be activated
    If completion message indicated error:
        notify P4EW/R(wf) administrator or terminate
Remove ROLE_Sj from the RBAC System

The following provides a detailed statement of the steps in setting up workflow processing of a parallel routing segment S_j using RBAC to control access to the activities, according to the invention.

For each activity A_jk, k=1, ..., N_j, in S_j:
    Create ROLE_Ajk in the RBAC System
    Assign permission to perform operation OP_Ajk(wf) to ROLE_Ajk
    Assign ROLE_Ajk to USER_Ajk
    Enable the capability for OP_Ajk(wf) to be activated
While not all OP_Ajk(wf) completed:
    Sleep, resuming at next line when completion message received from any OP_Ajk(wf)
    Remove assignment of ROLE_Ajk from USER_Ajk
    Remove permission to perform operation OP_Ajk(wf) from ROLE_Ajk
    Remove ROLE_Ajk from the RBAC System
    Disable the capability for OP_Ajk(wf) to be activated
    If completion message indicated error:
        For all OP_Ajk(wf) still active:
            Terminate OP_Ajk(wf)
            Remove assignment of ROLE_Ajk from USER_Ajk
            Remove permission to perform operation OP_Ajk(wf) from ROLE_Ajk
            Remove ROLE_Ajk from the RBAC System
            Disable the capability for OP_Ajk(wf) to be activated
        notify P4EW/R(wf) administrator or terminate
    Record the completion of OP_Ajk(wf)
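The sequential and parallel procedures above, the three-condition access rule of the summary, and the twelve-step walkthrough of the purchase request can all be exercised in one small program. The following Python code is an added illustration and is not the patent's P4EW software: the RBAC class, the Activity and Segment records, enact(), demo(), the user names and the "ok"/"error" completion messages are this example's own constructions. It enacts the FIG. 1 workflow on a toy RBAC core, gates every operation with the role check, hands the segment role from activity to activity in a sequential segment, enables all activities of a parallel segment before any completes, and cleans up the remaining roles when an operation reports an error.

```python
# Added example, not the patent's P4EW code: toy RBAC core plus an enactor that
# follows the sequential/parallel steps above. All names are this example's own.
from collections import namedtuple


class RBAC:
    """Permissions on roles, users in roles, and roles activated per user session."""
    def __init__(self):
        self.role_perms, self.role_users, self.sessions = {}, {}, {}
    def create_role(self, role):
        self.role_perms[role], self.role_users[role] = set(), set()
    def remove_role(self, role):
        del self.role_perms[role]
        del self.role_users[role]
        for active in self.sessions.values():
            active.discard(role)
    def grant(self, role, perm): self.role_perms[role].add(perm)
    def revoke(self, role, perm): self.role_perms[role].discard(perm)
    def assign(self, role, user): self.role_users[role].add(user)
    def deassign(self, role, user): self.role_users[role].discard(user)
    def deactivate(self, role, user): self.sessions.get(user, set()).discard(role)
    def activate(self, role, user):
        if user not in self.role_users.get(role, ()):   # only assigned users may activate
            raise PermissionError(f"{user} is not assigned to {role}")
        self.sessions.setdefault(user, set()).add(role)
    def check(self, user, perm):
        """The summary's rule: perm on a role, role assigned to user, role active."""
        return any(perm in self.role_perms.get(r, ()) and user in self.role_users.get(r, ())
                   for r in self.sessions.get(user, ()))


Activity = namedtuple("Activity", "name user")     # e.g. ("A11", "requisitioner")
Segment = namedtuple("Segment", "kind activities")  # kind: "sequential" | "parallel"


def enact(rbac, process, perform, pick=lambda pending: pending[0]):
    """Enact `process` (list of Segments) on `rbac`. `perform(user, op)` stands in for
    the invoked application ("ok"/"error"); `pick` chooses which enabled parallel
    operation completes next. Returns the event trace."""
    trace = []
    def enable(role, act):        # grant, assign, activate: the user may now act
        rbac.grant(role, f"OP({act.name})")
        rbac.assign(role, act.user)
        rbac.activate(role, act.user)
        trace.append(("enabled", act.name, act.user))
    def withdraw(role, act):      # deactivate, deassign, revoke: the privilege is gone
        rbac.deactivate(role, act.user)
        rbac.deassign(role, act.user)
        rbac.revoke(role, f"OP({act.name})")
        trace.append(("withdrawn", act.name, act.user))
    def run(act):                 # every operation is gated by the RBAC check
        op = f"OP({act.name})"
        if not rbac.check(act.user, op):
            raise PermissionError(f"{act.user} may not perform {op}")
        ok = perform(act.user, op) == "ok"
        trace.append(("completed" if ok else "error", act.name, act.user))
        return ok
    for j, seg in enumerate(process, start=1):
        if seg.kind == "sequential":
            role = f"ROLE(S{j})"  # one role handed from activity to activity as a token
            rbac.create_role(role)
            for act in seg.activities:
                enable(role, act)
                ok = run(act)
                withdraw(role, act)
                if not ok:
                    rbac.remove_role(role)
                    return trace  # "notify administrator or terminate"
            rbac.remove_role(role)
        else:                     # parallel: one role per activity, all enabled up front
            pending = list(seg.activities)
            for act in pending:
                rbac.create_role(f"ROLE({act.name})")
                enable(f"ROLE({act.name})", act)
            while pending:
                act = pick(pending)
                pending.remove(act)
                ok = run(act)
                withdraw(f"ROLE({act.name})", act)
                rbac.remove_role(f"ROLE({act.name})")
                if not ok:        # terminate and clean up the still-active siblings
                    for other in pending:
                        withdraw(f"ROLE({other.name})", other)
                        rbac.remove_role(f"ROLE({other.name})")
                    return trace
    return trace


# Constructed sample: the purchase-request workflow of FIG. 1 (S1, then S2 in parallel, then S3).
PURCHASE_REQUEST = [
    Segment("sequential", [Activity("A11", "requisitioner")]),
    Segment("parallel", [Activity("A21", "member2"), Activity("A22", "member3")]),
    Segment("sequential", [Activity("A31", "project_mgr"), Activity("A32", "division_mgr")]),
]


def demo(fail_at=None):
    """Enact the sample with A22 finishing before A21, as in the walkthrough above.
    Returns (trace, requisitioner's access probed at each step, roles left behind)."""
    rbac, probes = RBAC(), []
    def perform(user, op):        # stands in for the human plus the invoked application
        probes.append((op, rbac.check("requisitioner", op)))
        return "error" if op == f"OP({fail_at})" else "ok"
    trace = enact(rbac, PURCHASE_REQUEST, perform, pick=lambda p: p[-1])
    return trace, probes, sorted(rbac.role_perms)
```

demo() returns the event trace, a probe of what the requisitioner could do at each step, and the roles still present in the RBAC system. The trace completes A11, A22, A21, A31, A32 in that order; the probe shows the requisitioner holding OP(A11) only while A11 is in progress and nothing afterwards; and no workflow role survives once enactment ends, whether the workflow succeeds or demo(fail_at="A22") aborts it in the parallel segment.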

With this information, a person of ordinary skill in the art would have no difficulty in implementing the invention.

While a preferred embodiment of the invention has been described, it will be appreciated by those of skill in the art that further enhancements and modifications thereto are possible, specifically in connection with the details of assignments of roles to activities to segments within the workflow process. That is, in the above, roles are created, assigned, activated, and removed on an activity by activity basis, thereby granting and removing permissions for a user to perform activities within a given segment in order to ensure that the activities are performed in the correct sequence and to ensure that unauthorized access does not result. Accordingly, these and other modifications to the preferred embodiment disclosed herein are intended to be within the scope of the following claims where not specifically excluded thereby.
What is claimed is: 

1. A method for employment of role-based access control (RBAC) techniques for controlling the ability of individuals to carry out operations within a workflow process, comprising the steps of:

(1) decomposing the workflow process into sequential and parallel segments, each comprising one or more activities, wherein access to at least one specific instance of a resource is required for performance of each activity, said segments being ordered for performance in a defined sequence;

(2) creating roles corresponding to each segment in a role-based access control (RBAC) system, wherein a role is the means by which access to a specific instance of a resource is determined, whereby each of the activities comprised by each of the segments is assigned to one or more of the roles corresponding to each segment;

(3) assigning one or more individuals to each role;

(4) activating each role when all activities of all preceding segments have been successfully performed, by granting individual(s) assigned to an activated role permission to perform each activity within the corresponding successive segment;

(5) withdrawing each permission as the corresponding activity is completed; and

(6) deactivating each role as the corresponding segment is completed.

2. The method of claim 1, wherein if the segment under consideration is parallel, step (6) is performed only after all of the activities thereof are completed.

3. The method of claim 1, wherein each role is activated only as the preceding activity is completed.

4. The method of claim 1, wherein each permission is granted only as the preceding activity is completed.
